The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68818

CVE-2025-68818: Linux Kernel Use-After-Free Vulnerability

CVE-2025-68818 is a use-after-free vulnerability in the Linux kernel SCSI qla2xxx driver that causes NULL pointer dereference in target-mode. This article covers the technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2025-68818 Overview

A null pointer dereference vulnerability has been identified in the Linux kernel's SCSI qla2xxx driver. The flaw exists in the __qla2x00_abort_all_cmds() function, where code added to perform lockless command completion in the abort path failed to properly check the sp->cmd_type before assuming TYPE_SRB. This results in a jump to an invalid pointer when operating in target-mode with TYPE_TGT_CMD, causing a kernel crash.

Critical Impact

This vulnerability can cause a kernel NULL pointer dereference leading to system crash and denial of service, particularly affecting systems using QLogic Fibre Channel HBAs in target-mode configurations.

Affected Products

  • Linux kernel with qla2xxx SCSI driver
  • Systems using QLogic Fibre Channel Host Bus Adapters (HBAs)
  • Linux kernel versions prior to the security patch commits

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68818 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68818

Vulnerability Analysis

The vulnerability stems from a regression introduced in commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9, which modified the __qla2x00_abort_all_cmds() function to call sp->done() without holding a spinlock. The critical flaw is that this new code path failed to validate the command type before processing.

When the driver encounters a TYPE_TGT_CMD (target-mode command) instead of the assumed TYPE_SRB (SCSI Request Block), the function attempts to dereference a null or invalid pointer, resulting in a kernel oops with the error "kernel NULL pointer dereference, address: 0000000000000000".

The crash manifests during ISP (Intelligent Storage Processor) error recovery operations, specifically when the QLogic adapter experiences a system error (async event 0x8002) and attempts to abort all outstanding commands. The qla2x00_abort_isp_cleanup() path triggers the vulnerable code when processing commands that are not of the expected type.

Root Cause

The root cause is an improper type check in the lockless command completion code path within __qla2x00_abort_all_cmds(). The original problematic commit introduced code that assumed all SCSI Request Blocks (SRBs) would be of TYPE_SRB, but in target-mode operations, commands can be of TYPE_TGT_CMD. This type confusion leads to dereferencing an invalid function pointer when calling sp->done(), as the callback structure differs between command types.

Additionally, a subsequent commit (4475afa2646d) attempted to fix a race condition by restoring the spinlock, but this left the buggy type-assumption code in place, creating redundant and still-vulnerable code above the switch statement that properly handles different command types.

Attack Vector

The vulnerability is triggered locally through specific operational conditions rather than direct exploitation. The attack vector involves:

  1. A system configured with QLogic Fibre Channel HBAs operating in target-mode
  2. An ISP system error condition occurring (either naturally or induced)
  3. The error recovery path invoking qla2x00_abort_isp() which calls qla2x00_abort_all_cmds()
  4. The vulnerable code path processing TYPE_TGT_CMD commands without proper type validation

The vulnerability results in a kernel panic with the call trace showing:

  • __qla2x00_abort_all_cmds() in the qla2xxx module
  • Triggered during qla2x00_do_dpc() deferred processing context
  • CPU attempting to execute instructions at address 0x0

Detection Methods for CVE-2025-68818

Indicators of Compromise

  • Kernel panic messages containing "kernel NULL pointer dereference, address: 0000000000000000"
  • Call traces in kernel logs showing __qla2x00_abort_all_cmds and qla2xxx module references
  • System error async events (0x8002) from qla2xxx driver preceding crashes
  • ISP error recovery messages followed by system hangs or reboots

Detection Strategies

  • Monitor kernel logs (/var/log/kern.log, dmesg) for qla2xxx driver errors and NULL pointer dereference oops
  • Implement watchdog monitoring for unexpected system reboots on servers with QLogic HBAs
  • Review crash dumps for call traces originating from qla2xxx module functions
  • Deploy kernel tracing (ftrace/perf) on __qla2x00_abort_all_cmds to detect abnormal execution patterns

Monitoring Recommendations

  • Configure centralized logging to capture kernel panic events from affected systems
  • Set up alerting for qla2xxx driver error messages, particularly ISP System Error events
  • Monitor system uptime metrics for unexpected restarts on storage servers
  • Implement hardware monitoring for QLogic adapter health status

How to Mitigate CVE-2025-68818

Immediate Actions Required

  • Update the Linux kernel to a version containing the security fix commits
  • If immediate patching is not possible, consider temporarily disabling target-mode on affected QLogic HBAs
  • Review system logs for any evidence of past crashes related to this vulnerability
  • Schedule maintenance windows for kernel updates on production systems

Patch Information

The vulnerability has been addressed through multiple kernel commits that revert the problematic code and remove the redundant, buggy type-assumption logic. The fix ensures that command type validation is properly performed before calling completion callbacks.

Relevant patch commits are available from the Linux kernel stable tree:

  • Kernel Commit 1c728951bc76
  • Kernel Commit b10ebbfd59a5
  • Kernel Commit b57fbc88715b
  • Kernel Commit c5c37a821bd1
  • Kernel Commit e9e601b7df58

Workarounds

  • Avoid using QLogic HBAs in target-mode configuration until patching is complete
  • Implement redundant storage paths to minimize impact of potential driver crashes
  • Configure kdump or other crash collection mechanisms to capture diagnostic information
  • Consider using alternative Fibre Channel drivers if target-mode functionality is not required
bash
# Check current kernel version and qla2xxx module
uname -r
modinfo qla2xxx | grep -E "^(version|filename)"

# Verify if the patch has been applied by checking module version
# or reviewing the kernel changelog for the fix commits

# Monitor for qla2xxx errors in real-time
dmesg -w | grep -i qla2xxx

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Linux Kernel Commit Update
  • Linux Kernel Commit Update
  • Linux Kernel Commit Update
  • Linux Kernel Commit Update
  • Linux Kernel Commit Update
  • Related CVEs
  • CVE-2026-23462: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23458: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23435: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23456: Linux Kernel Use-After-Free Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English